2015-05-22 13:32 GMT+02:00 Gabriel Franca <gabriel.franca at gmail.com>:> > I found it strange more and something I have already noticed a while. > > No GPO is applied when the User is the "Domain Users", so I wonder if I'm > doing something wrong or I have to change something. > > I believe the "Domain Users" are not allowed to change the Windows > registry so the issue. > > Sincerely, > > Gabriel Franca > >I don't know if is a Windows problem, but i've got the same behavior trying to set Firewall rules. I've fixed the problem changing the "Domain Users" in GPO "Security Filter" for "Authenticated Users" and now is working fine. I hope this help. Greetings!!> > > Em 22/05/2015, ?(s) 02:31, Neil <nwilson123 at gmail.com> escreveu: > > > > Good morning everyone, > > > > Gabriel: I haven't had a chance to test this yet, but I'm also needing > the same IE: Domain Users to have the GPO applied. Did you come right with > this? > > > > Andrey: Thank you for letting me know about the SysVol replication > across DC's, I haven't enabled this yet and will be doing so, is there > anything I should watch out for? I'll just be using the " > https://wiki.samba.org/index.php/SysVol_Replication < > https://wiki.samba.org/index.php/SysVol_Replication>" because I don't > require Bi-Directional Replication. > > > > Thank you. > > > > Regards. > > > > Neil Wilson. > > > > > > On Thu, May 21, 2015 at 1:22 PM, Gabriel Franca < > gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com>> wrote: > > Good morning friends !!! > > > > I am following this topic and performed some tests to validate the > process and noted the following. > > > > 1) when the User is the "Domain Users" GPO is not applied. > > > > 2) when the user is the "Domain Admins" the GPO is applied. > > > > Is there any way to apply the GPOS "Domain Users" ??? > > > > Sincerely, > > > > Gabriel Franca > > > > > > > Em 20/05/2015, ?(s) 09:37, Neil <nwilson123 at gmail.com <mailto: > nwilson123 at gmail.com>> escreveu: > > > > > > Hi Louis, > > > > > > Thank you very much for your speedy response. I'll definitely go ahead > and > > > investigate further. > > > > > > Much appreciated. > > > > > > Regards. > > > > > > Neil Wilson. > > > > > > On Wed, May 20, 2015 at 1:24 PM, L.P.H. van Belle <belle at bazuin.nl > <mailto:belle at bazuin.nl>> wrote: > > > > > >> yes, this is possible, by GPO. > > >> > > >> In GPO, go to: > > >> (user or computer )Configuration > > >> - Policy > > >> ? Administrative template > > >> ? System > > >> ? Removable storage Access > > >> > > >> Play with these settings to get what you want. > > >> > > >> for Managing Hardware Restrictions via Group Policy read : > > >> http://technet.microsoft.com/en-us/magazine/cc138012.aspx < > http://technet.microsoft.com/en-us/magazine/cc138012.aspx> > > >> > > >> > > >> Greetz, > > >> > > >> Louis > > >> > > >> > > >> > > >> > > >>> -----Oorspronkelijk bericht----- > > >>> Van: nwilson123 at gmail.com <mailto:nwilson123 at gmail.com> > > >>> [mailto:samba-bounces at lists.samba.org <mailto: > samba-bounces at lists.samba.org>] Namens Neil > > >>> Verzonden: woensdag 20 mei 2015 12:10 > > >>> Aan: samba > > >>> Onderwerp: [Samba] Samba4 Disable USB ports > > >>> > > >>> Hi guys, > > >>> > > >>> I'm running a Sernet-samba-ad-4.1.17-11.el6.x86_64 PDC with another 4 > > >>> Samba4 DC's all joined to the same AD domain myorg.local > > >>> > > >>> My client wants me to disable all USB ports for all the users > > >>> joined to the > > >>> domain. > > >>> > > >>> Is it possible to do this via a group policy so that users > > >>> logging onto any > > >>> of the DC's will not be able to use their USB ports? > > >>> > > >>> I currently admin my AD with a combination of the samba-tool > > >>> as well as the > > >>> AD Users and Groups MMC Windows utility. > > >>> > > >>> Any guidance is greatly appreciated. > > >>> > > >>> Thank you. > > >>> > > >>> Regards. > > >>> > > >>> Neil Wilson > > >>> -- > > >>> To unsubscribe from this list go to the following URL and read the > > >>> instructions: https://lists.samba.org/mailman/options/samba < > https://lists.samba.org/mailman/options/samba> > > >>> > > >>> > > >> > > >> -- > > >> To unsubscribe from this list go to the following URL and read the > > >> instructions: https://lists.samba.org/mailman/options/samba < > https://lists.samba.org/mailman/options/samba> > > >> > > > -- > > > To unsubscribe from this list go to the following URL and read the > > > instructions: https://lists.samba.org/mailman/options/samba < > https://lists.samba.org/mailman/options/samba> > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Good morning Daniel, The amendment that I spoke have to be done on the server. All user created in Samba4 receives the "Domain Users" group as primary. I did several tests on the GPO to no avail. When I took the User of the "Domain Users" and put in "Domain Admins" the GPO to make any changes now operates. I believe that because of the "Domain Users" did not have privileges to edit the GPO record in the station can not be applied. I wonder if the guys who are using Samba 4, is using successfully GPOS the "Domain Users" Sincerely, Gabriel Franca> Em 22/05/2015, ?(s) 09:01, Daniel Carrasco Mar?n <danielmadrid19 at gmail.com> escreveu: > > > > 2015-05-22 13:32 GMT+02:00 Gabriel Franca <gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com>>: > > I found it strange more and something I have already noticed a while. > > No GPO is applied when the User is the "Domain Users", so I wonder if I'm doing something wrong or I have to change something. > > I believe the "Domain Users" are not allowed to change the Windows registry so the issue. > > Sincerely, > > Gabriel Franca > > > I don't know if is a Windows problem, but i've got the same behavior trying to set Firewall rules. I've fixed the problem changing the "Domain Users" in GPO "Security Filter" for "Authenticated Users" and now is working fine. > > I hope this help. > > Greetings!! > > > > Em 22/05/2015, ?(s) 02:31, Neil <nwilson123 at gmail.com <mailto:nwilson123 at gmail.com>> escreveu: > > > > Good morning everyone, > > > > Gabriel: I haven't had a chance to test this yet, but I'm also needing the same IE: Domain Users to have the GPO applied. Did you come right with this? > > > > Andrey: Thank you for letting me know about the SysVol replication across DC's, I haven't enabled this yet and will be doing so, is there anything I should watch out for? I'll just be using the "https://wiki.samba.org/index.php/SysVol_Replication <https://wiki.samba.org/index.php/SysVol_Replication> <https://wiki.samba.org/index.php/SysVol_Replication <https://wiki.samba.org/index.php/SysVol_Replication>>" because I don't require Bi-Directional Replication. > > > > Thank you. > > > > Regards. > > > > Neil Wilson. > > > > > > On Thu, May 21, 2015 at 1:22 PM, Gabriel Franca <gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com> <mailto:gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com>>> wrote: > > Good morning friends !!! > > > > I am following this topic and performed some tests to validate the process and noted the following. > > > > 1) when the User is the "Domain Users" GPO is not applied. > > > > 2) when the user is the "Domain Admins" the GPO is applied. > > > > Is there any way to apply the GPOS "Domain Users" ??? > > > > Sincerely, > > > > Gabriel Franca > > > > > > > Em 20/05/2015, ?(s) 09:37, Neil <nwilson123 at gmail.com <mailto:nwilson123 at gmail.com> <mailto:nwilson123 at gmail.com <mailto:nwilson123 at gmail.com>>> escreveu: > > > > > > Hi Louis, > > > > > > Thank you very much for your speedy response. I'll definitely go ahead and > > > investigate further. > > > > > > Much appreciated. > > > > > > Regards. > > > > > > Neil Wilson. > > > > > > On Wed, May 20, 2015 at 1:24 PM, L.P.H. van Belle <belle at bazuin.nl <mailto:belle at bazuin.nl> <mailto:belle at bazuin.nl <mailto:belle at bazuin.nl>>> wrote: > > > > > >> yes, this is possible, by GPO. > > >> > > >> In GPO, go to: > > >> (user or computer )Configuration > > >> - Policy > > >> ? Administrative template > > >> ? System > > >> ? Removable storage Access > > >> > > >> Play with these settings to get what you want. > > >> > > >> for Managing Hardware Restrictions via Group Policy read : > > >> http://technet.microsoft.com/en-us/magazine/cc138012.aspx <http://technet.microsoft.com/en-us/magazine/cc138012.aspx> <http://technet.microsoft.com/en-us/magazine/cc138012.aspx <http://technet.microsoft.com/en-us/magazine/cc138012.aspx>> > > >> > > >> > > >> Greetz, > > >> > > >> Louis > > >> > > >> > > >> > > >> > > >>> -----Oorspronkelijk bericht----- > > >>> Van: nwilson123 at gmail.com <mailto:nwilson123 at gmail.com> <mailto:nwilson123 at gmail.com <mailto:nwilson123 at gmail.com>> > > >>> [mailto:samba-bounces at lists.samba.org <mailto:samba-bounces at lists.samba.org> <mailto:samba-bounces at lists.samba.org <mailto:samba-bounces at lists.samba.org>>] Namens Neil > > >>> Verzonden: woensdag 20 mei 2015 12:10 > > >>> Aan: samba > > >>> Onderwerp: [Samba] Samba4 Disable USB ports > > >>> > > >>> Hi guys, > > >>> > > >>> I'm running a Sernet-samba-ad-4.1.17-11.el6.x86_64 PDC with another 4 > > >>> Samba4 DC's all joined to the same AD domain myorg.local > > >>> > > >>> My client wants me to disable all USB ports for all the users > > >>> joined to the > > >>> domain. > > >>> > > >>> Is it possible to do this via a group policy so that users > > >>> logging onto any > > >>> of the DC's will not be able to use their USB ports? > > >>> > > >>> I currently admin my AD with a combination of the samba-tool > > >>> as well as the > > >>> AD Users and Groups MMC Windows utility. > > >>> > > >>> Any guidance is greatly appreciated. > > >>> > > >>> Thank you. > > >>> > > >>> Regards. > > >>> > > >>> Neil Wilson > > >>> -- > > >>> To unsubscribe from this list go to the following URL and read the > > >>> instructions: https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba> <https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>> > > >>> > > >>> > > >> > > >> -- > > >> To unsubscribe from this list go to the following URL and read the > > >> instructions: https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba> <https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>> > > >> > > > -- > > > To unsubscribe from this list go to the following URL and read the > > > instructions: https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba> <https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>> > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>
2015-05-22 14:08 GMT+02:00 Gabriel Franca <gabriel.franca at gmail.com>:> Good morning Daniel, > > The amendment that I spoke have to be done on the server. > > All user created in Samba4 receives the "Domain Users" group as primary. > > I did several tests on the GPO to no avail. > > When I took the User of the "Domain Users" and put in "Domain Admins" the > GPO to make any changes now operates. > > I believe that because of the "Domain Users" did not have privileges to > edit the GPO record in the station can not be applied. > > I wonder if the guys who are using Samba 4, is using successfully GPOS the > "Domain Users" > > Sincerely, > > Gabriel Franca >Good morning Gabriel, Yes, I know it, and i'm talking about GPO policies on a Samba 4 AD using RSAT tools. I don't know why but it happen just as you said, when you try to set a policy to a "Domain Users" or "Domain Computers" is not applied, but if you use "Authenticated Users" as "Security Filter" on GPO then it works. I attach two images so you see what I mean. Greetings!!> > > Em 22/05/2015, ?(s) 09:01, Daniel Carrasco Mar?n <danielmadrid19 at gmail.com> > escreveu: > > > > 2015-05-22 13:32 GMT+02:00 Gabriel Franca <gabriel.franca at gmail.com>: > >> >> I found it strange more and something I have already noticed a while. >> >> No GPO is applied when the User is the "Domain Users", so I wonder if I'm >> doing something wrong or I have to change something. >> >> I believe the "Domain Users" are not allowed to change the Windows >> registry so the issue. >> >> Sincerely, >> >> Gabriel Franca >> >> > I don't know if is a Windows problem, but i've got the same behavior > trying to set Firewall rules. I've fixed the problem changing the "Domain > Users" in GPO "Security Filter" for "Authenticated Users" and now is > working fine. > > I hope this help. > > Greetings!! > > >> >> > Em 22/05/2015, ?(s) 02:31, Neil <nwilson123 at gmail.com> escreveu: >> > >> > Good morning everyone, >> > >> > Gabriel: I haven't had a chance to test this yet, but I'm also needing >> the same IE: Domain Users to have the GPO applied. Did you come right with >> this? >> > >> > Andrey: Thank you for letting me know about the SysVol replication >> across DC's, I haven't enabled this yet and will be doing so, is there >> anything I should watch out for? I'll just be using the " >> https://wiki.samba.org/index.php/SysVol_Replication < >> https://wiki.samba.org/index.php/SysVol_Replication>" because I don't >> require Bi-Directional Replication. >> > >> > Thank you. >> > >> > Regards. >> > >> > Neil Wilson. >> > >> > >> > On Thu, May 21, 2015 at 1:22 PM, Gabriel Franca < >> gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com>> wrote: >> > Good morning friends !!! >> > >> > I am following this topic and performed some tests to validate the >> process and noted the following. >> > >> > 1) when the User is the "Domain Users" GPO is not applied. >> > >> > 2) when the user is the "Domain Admins" the GPO is applied. >> > >> > Is there any way to apply the GPOS "Domain Users" ??? >> > >> > Sincerely, >> > >> > Gabriel Franca >> > >> > >> > > Em 20/05/2015, ?(s) 09:37, Neil <nwilson123 at gmail.com <mailto: >> nwilson123 at gmail.com>> escreveu: >> > > >> > > Hi Louis, >> > > >> > > Thank you very much for your speedy response. I'll definitely go >> ahead and >> > > investigate further. >> > > >> > > Much appreciated. >> > > >> > > Regards. >> > > >> > > Neil Wilson. >> > > >> > > On Wed, May 20, 2015 at 1:24 PM, L.P.H. van Belle <belle at bazuin.nl >> <mailto:belle at bazuin.nl>> wrote: >> > > >> > >> yes, this is possible, by GPO. >> > >> >> > >> In GPO, go to: >> > >> (user or computer )Configuration >> > >> - Policy >> > >> ? Administrative template >> > >> ? System >> > >> ? Removable storage Access >> > >> >> > >> Play with these settings to get what you want. >> > >> >> > >> for Managing Hardware Restrictions via Group Policy read : >> > >> http://technet.microsoft.com/en-us/magazine/cc138012.aspx < >> http://technet.microsoft.com/en-us/magazine/cc138012.aspx> >> > >> >> > >> >> > >> Greetz, >> > >> >> > >> Louis >> > >> >> > >> >> > >> >> > >> >> > >>> -----Oorspronkelijk bericht----- >> > >>> Van: nwilson123 at gmail.com <mailto:nwilson123 at gmail.com> >> > >>> [mailto:samba-bounces at lists.samba.org <mailto: >> samba-bounces at lists.samba.org>] Namens Neil >> > >>> Verzonden: woensdag 20 mei 2015 12:10 >> > >>> Aan: samba >> > >>> Onderwerp: [Samba] Samba4 Disable USB ports >> > >>> >> > >>> Hi guys, >> > >>> >> > >>> I'm running a Sernet-samba-ad-4.1.17-11.el6.x86_64 PDC with another >> 4 >> > >>> Samba4 DC's all joined to the same AD domain myorg.local >> > >>> >> > >>> My client wants me to disable all USB ports for all the users >> > >>> joined to the >> > >>> domain. >> > >>> >> > >>> Is it possible to do this via a group policy so that users >> > >>> logging onto any >> > >>> of the DC's will not be able to use their USB ports? >> > >>> >> > >>> I currently admin my AD with a combination of the samba-tool >> > >>> as well as the >> > >>> AD Users and Groups MMC Windows utility. >> > >>> >> > >>> Any guidance is greatly appreciated. >> > >>> >> > >>> Thank you. >> > >>> >> > >>> Regards. >> > >>> >> > >>> Neil Wilson >> > >>> -- >> > >>> To unsubscribe from this list go to the following URL and read the >> > >>> instructions: https://lists.samba.org/mailman/options/samba < >> https://lists.samba.org/mailman/options/samba> >> > >>> >> > >>> >> > >> >> > >> -- >> > >> To unsubscribe from this list go to the following URL and read the >> > >> instructions: https://lists.samba.org/mailman/options/samba < >> https://lists.samba.org/mailman/options/samba> >> > >> >> > > -- >> > > To unsubscribe from this list go to the following URL and read the >> > > instructions: https://lists.samba.org/mailman/options/samba < >> https://lists.samba.org/mailman/options/samba> >> > >> > >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> > > >
Hai,>I don't know if is a Windows problem, but i've got the same behavior trying >to set Firewall rules. I've fixed the problem changing the "Domain Users" >in GPO "Security Filter" for "Authenticated Users" and now is working fine.i suggest you start reading from here. http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part1.html http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part2.html http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part3.html I bet your missing a right as shown in Part 2, picture 3. ( the Aply group policy right ) and you can try with adding : acl_xattr:ignore system acl = yes to netlogon and sysvol share. Louis>-----Oorspronkelijk bericht----- >Van: gabriel.franca at gmail.com >[mailto:samba-bounces at lists.samba.org] Namens Gabriel Franca >Verzonden: vrijdag 22 mei 2015 14:09 >Aan: Daniel Carrasco Mar?n >CC: samba at lists.samba.org; Neil >Onderwerp: Re: [Samba] Samba4 Disable USB ports > >Good morning Daniel, > >The amendment that I spoke have to be done on the server. > >All user created in Samba4 receives the "Domain Users" group >as primary. > >I did several tests on the GPO to no avail. > >When I took the User of the "Domain Users" and put in "Domain >Admins" the GPO to make any changes now operates. > >I believe that because of the "Domain Users" did not have >privileges to edit the GPO record in the station can not be applied. > >I wonder if the guys who are using Samba 4, is using >successfully GPOS the "Domain Users" > >Sincerely, > >Gabriel Franca > > > >> Em 22/05/2015, ?(s) 09:01, Daniel Carrasco Mar?n ><danielmadrid19 at gmail.com> escreveu: >> >> >> >> 2015-05-22 13:32 GMT+02:00 Gabriel Franca ><gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com>>: >> >> I found it strange more and something I have already noticed a while. >> >> No GPO is applied when the User is the "Domain Users", so I >wonder if I'm doing something wrong or I have to change something. >> >> I believe the "Domain Users" are not allowed to change the >Windows registry so the issue. >> >> Sincerely, >> >> Gabriel Franca >> >> >> I don't know if is a Windows problem, but i've got the same >behavior trying to set Firewall rules. I've fixed the problem >changing the "Domain Users" in GPO "Security Filter" for >"Authenticated Users" and now is working fine. >> >> I hope this help. >> >> Greetings!! >> >> >> > Em 22/05/2015, ?(s) 02:31, Neil <nwilson123 at gmail.com ><mailto:nwilson123 at gmail.com>> escreveu: >> > >> > Good morning everyone, >> > >> > Gabriel: I haven't had a chance to test this yet, but I'm >also needing the same IE: Domain Users to have the GPO >applied. Did you come right with this? >> > >> > Andrey: Thank you for letting me know about the SysVol >replication across DC's, I haven't enabled this yet and will >be doing so, is there anything I should watch out for? I'll >just be using the >"https://wiki.samba.org/index.php/SysVol_Replication ><https://wiki.samba.org/index.php/SysVol_Replication> ><https://wiki.samba.org/index.php/SysVol_Replication ><https://wiki.samba.org/index.php/SysVol_Replication>>" >because I don't require Bi-Directional Replication. >> > >> > Thank you. >> > >> > Regards. >> > >> > Neil Wilson. >> > >> > >> > On Thu, May 21, 2015 at 1:22 PM, Gabriel Franca ><gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com> ><mailto:gabriel.franca at gmail.com ><mailto:gabriel.franca at gmail.com>>> wrote: >> > Good morning friends !!! >> > >> > I am following this topic and performed some tests to >validate the process and noted the following. >> > >> > 1) when the User is the "Domain Users" GPO is not applied. >> > >> > 2) when the user is the "Domain Admins" the GPO is applied. >> > >> > Is there any way to apply the GPOS "Domain Users" ??? >> > >> > Sincerely, >> > >> > Gabriel Franca >> > >> > >> > > Em 20/05/2015, ?(s) 09:37, Neil <nwilson123 at gmail.com ><mailto:nwilson123 at gmail.com> <mailto:nwilson123 at gmail.com ><mailto:nwilson123 at gmail.com>>> escreveu: >> > > >> > > Hi Louis, >> > > >> > > Thank you very much for your speedy response. I'll >definitely go ahead and >> > > investigate further. >> > > >> > > Much appreciated. >> > > >> > > Regards. >> > > >> > > Neil Wilson. >> > > >> > > On Wed, May 20, 2015 at 1:24 PM, L.P.H. van Belle ><belle at bazuin.nl <mailto:belle at bazuin.nl> ><mailto:belle at bazuin.nl <mailto:belle at bazuin.nl>>> wrote: >> > > >> > >> yes, this is possible, by GPO. >> > >> >> > >> In GPO, go to: >> > >> (user or computer )Configuration >> > >> - Policy >> > >> ? Administrative template >> > >> ? System >> > >> ? Removable storage Access >> > >> >> > >> Play with these settings to get what you want. >> > >> >> > >> for Managing Hardware Restrictions via Group Policy read : >> > >> >http://technet.microsoft.com/en-us/magazine/cc138012.aspx ><http://technet.microsoft.com/en-us/magazine/cc138012.aspx> ><http://technet.microsoft.com/en-us/magazine/cc138012.aspx ><http://technet.microsoft.com/en-us/magazine/cc138012.aspx>> >> > >> >> > >> >> > >> Greetz, >> > >> >> > >> Louis >> > >> >> > >> >> > >> >> > >> >> > >>> -----Oorspronkelijk bericht----- >> > >>> Van: nwilson123 at gmail.com ><mailto:nwilson123 at gmail.com> <mailto:nwilson123 at gmail.com ><mailto:nwilson123 at gmail.com>> >> > >>> [mailto:samba-bounces at lists.samba.org ><mailto:samba-bounces at lists.samba.org> ><mailto:samba-bounces at lists.samba.org ><mailto:samba-bounces at lists.samba.org>>] Namens Neil >> > >>> Verzonden: woensdag 20 mei 2015 12:10 >> > >>> Aan: samba >> > >>> Onderwerp: [Samba] Samba4 Disable USB ports >> > >>> >> > >>> Hi guys, >> > >>> >> > >>> I'm running a Sernet-samba-ad-4.1.17-11.el6.x86_64 PDC >with another 4 >> > >>> Samba4 DC's all joined to the same AD domain myorg.local >> > >>> >> > >>> My client wants me to disable all USB ports for all the users >> > >>> joined to the >> > >>> domain. >> > >>> >> > >>> Is it possible to do this via a group policy so that users >> > >>> logging onto any >> > >>> of the DC's will not be able to use their USB ports? >> > >>> >> > >>> I currently admin my AD with a combination of the samba-tool >> > >>> as well as the >> > >>> AD Users and Groups MMC Windows utility. >> > >>> >> > >>> Any guidance is greatly appreciated. >> > >>> >> > >>> Thank you. >> > >>> >> > >>> Regards. >> > >>> >> > >>> Neil Wilson >> > >>> -- >> > >>> To unsubscribe from this list go to the following URL >and read the >> > >>> instructions: >https://lists.samba.org/mailman/options/samba ><https://lists.samba.org/mailman/options/samba> ><https://lists.samba.org/mailman/options/samba ><https://lists.samba.org/mailman/options/samba>> >> > >>> >> > >>> >> > >> >> > >> -- >> > >> To unsubscribe from this list go to the following URL >and read the >> > >> instructions: >https://lists.samba.org/mailman/options/samba ><https://lists.samba.org/mailman/options/samba> ><https://lists.samba.org/mailman/options/samba ><https://lists.samba.org/mailman/options/samba>> >> > >> >> > > -- >> > > To unsubscribe from this list go to the following URL >and read the >> > > instructions: >https://lists.samba.org/mailman/options/samba ><https://lists.samba.org/mailman/options/samba> ><https://lists.samba.org/mailman/options/samba ><https://lists.samba.org/mailman/options/samba>> >> > >> > >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba ><https://lists.samba.org/mailman/options/samba> > >-- >To unsubscribe from this list go to the following URL and read the >instructions: https://lists.samba.org/mailman/options/samba >
2015-05-22 14:26 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:> > Hai, > > >I don't know if is a Windows problem, but i've got the same behavior > trying > >to set Firewall rules. I've fixed the problem changing the "Domain Users" > >in GPO "Security Filter" for "Authenticated Users" and now is working > fine. > > i suggest you start reading from here. > > http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part1.html > > http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part2.html > > http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part3.html > > I bet your missing a right as shown in Part 2, picture 3. ( the Aply group > policy right ) > > and you can try with adding : > acl_xattr:ignore system acl = yes > to netlogon and sysvol share. > > Louis > >Thanks, is very interesting. Mine is working fine with "Authenticated Users" and is configured like the image, then i don't have problems with that ;). The problem is when you delete "Authenticated Users" from that GPO and use "Domain Users" instead. The permissions are the same as "Authenticated Users" (and the image of the second link) but the GPO access is denied... For me isn't a problem because i want to set that GPO to all users, but maybe Gabriel want to set the USB only to "Domain Users" and allow to "Domain Admins" to use the usb ports. Greetings!!> > >-----Oorspronkelijk bericht----- > >Van: gabriel.franca at gmail.com > >[mailto:samba-bounces at lists.samba.org] Namens Gabriel Franca > >Verzonden: vrijdag 22 mei 2015 14:09 > >Aan: Daniel Carrasco Mar?n > >CC: samba at lists.samba.org; Neil > >Onderwerp: Re: [Samba] Samba4 Disable USB ports > > > >Good morning Daniel, > > > >The amendment that I spoke have to be done on the server. > > > >All user created in Samba4 receives the "Domain Users" group > >as primary. > > > >I did several tests on the GPO to no avail. > > > >When I took the User of the "Domain Users" and put in "Domain > >Admins" the GPO to make any changes now operates. > > > >I believe that because of the "Domain Users" did not have > >privileges to edit the GPO record in the station can not be applied. > > > >I wonder if the guys who are using Samba 4, is using > >successfully GPOS the "Domain Users" > > > >Sincerely, > > > >Gabriel Franca > > > > > > > >> Em 22/05/2015, ?(s) 09:01, Daniel Carrasco Mar?n > ><danielmadrid19 at gmail.com> escreveu: > >> > >> > >> > >> 2015-05-22 13:32 GMT+02:00 Gabriel Franca > ><gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com>>: > >> > >> I found it strange more and something I have already noticed a while. > >> > >> No GPO is applied when the User is the "Domain Users", so I > >wonder if I'm doing something wrong or I have to change something. > >> > >> I believe the "Domain Users" are not allowed to change the > >Windows registry so the issue. > >> > >> Sincerely, > >> > >> Gabriel Franca > >> > >> > >> I don't know if is a Windows problem, but i've got the same > >behavior trying to set Firewall rules. I've fixed the problem > >changing the "Domain Users" in GPO "Security Filter" for > >"Authenticated Users" and now is working fine. > >> > >> I hope this help. > >> > >> Greetings!! > >> > >> > >> > Em 22/05/2015, ?(s) 02:31, Neil <nwilson123 at gmail.com > ><mailto:nwilson123 at gmail.com>> escreveu: > >> > > >> > Good morning everyone, > >> > > >> > Gabriel: I haven't had a chance to test this yet, but I'm > >also needing the same IE: Domain Users to have the GPO > >applied. Did you come right with this? > >> > > >> > Andrey: Thank you for letting me know about the SysVol > >replication across DC's, I haven't enabled this yet and will > >be doing so, is there anything I should watch out for? I'll > >just be using the > >"https://wiki.samba.org/index.php/SysVol_Replication > ><https://wiki.samba.org/index.php/SysVol_Replication> > ><https://wiki.samba.org/index.php/SysVol_Replication > ><https://wiki.samba.org/index.php/SysVol_Replication>>" > >because I don't require Bi-Directional Replication. > >> > > >> > Thank you. > >> > > >> > Regards. > >> > > >> > Neil Wilson. > >> > > >> > > >> > On Thu, May 21, 2015 at 1:22 PM, Gabriel Franca > ><gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com> > ><mailto:gabriel.franca at gmail.com > ><mailto:gabriel.franca at gmail.com>>> wrote: > >> > Good morning friends !!! > >> > > >> > I am following this topic and performed some tests to > >validate the process and noted the following. > >> > > >> > 1) when the User is the "Domain Users" GPO is not applied. > >> > > >> > 2) when the user is the "Domain Admins" the GPO is applied. > >> > > >> > Is there any way to apply the GPOS "Domain Users" ??? > >> > > >> > Sincerely, > >> > > >> > Gabriel Franca > >> > > >> > > >> > > Em 20/05/2015, ?(s) 09:37, Neil <nwilson123 at gmail.com > ><mailto:nwilson123 at gmail.com> <mailto:nwilson123 at gmail.com > ><mailto:nwilson123 at gmail.com>>> escreveu: > >> > > > >> > > Hi Louis, > >> > > > >> > > Thank you very much for your speedy response. I'll > >definitely go ahead and > >> > > investigate further. > >> > > > >> > > Much appreciated. > >> > > > >> > > Regards. > >> > > > >> > > Neil Wilson. > >> > > > >> > > On Wed, May 20, 2015 at 1:24 PM, L.P.H. van Belle > ><belle at bazuin.nl <mailto:belle at bazuin.nl> > ><mailto:belle at bazuin.nl <mailto:belle at bazuin.nl>>> wrote: > >> > > > >> > >> yes, this is possible, by GPO. > >> > >> > >> > >> In GPO, go to: > >> > >> (user or computer )Configuration > >> > >> - Policy > >> > >> ? Administrative template > >> > >> ? System > >> > >> ? Removable storage Access > >> > >> > >> > >> Play with these settings to get what you want. > >> > >> > >> > >> for Managing Hardware Restrictions via Group Policy read : > >> > >> > >http://technet.microsoft.com/en-us/magazine/cc138012.aspx > ><http://technet.microsoft.com/en-us/magazine/cc138012.aspx> > ><http://technet.microsoft.com/en-us/magazine/cc138012.aspx > ><http://technet.microsoft.com/en-us/magazine/cc138012.aspx>> > >> > >> > >> > >> > >> > >> Greetz, > >> > >> > >> > >> Louis > >> > >> > >> > >> > >> > >> > >> > >> > >> > >>> -----Oorspronkelijk bericht----- > >> > >>> Van: nwilson123 at gmail.com > ><mailto:nwilson123 at gmail.com> <mailto:nwilson123 at gmail.com > ><mailto:nwilson123 at gmail.com>> > >> > >>> [mailto:samba-bounces at lists.samba.org > ><mailto:samba-bounces at lists.samba.org> > ><mailto:samba-bounces at lists.samba.org > ><mailto:samba-bounces at lists.samba.org>>] Namens Neil > >> > >>> Verzonden: woensdag 20 mei 2015 12:10 > >> > >>> Aan: samba > >> > >>> Onderwerp: [Samba] Samba4 Disable USB ports > >> > >>> > >> > >>> Hi guys, > >> > >>> > >> > >>> I'm running a Sernet-samba-ad-4.1.17-11.el6.x86_64 PDC > >with another 4 > >> > >>> Samba4 DC's all joined to the same AD domain myorg.local > >> > >>> > >> > >>> My client wants me to disable all USB ports for all the users > >> > >>> joined to the > >> > >>> domain. > >> > >>> > >> > >>> Is it possible to do this via a group policy so that users > >> > >>> logging onto any > >> > >>> of the DC's will not be able to use their USB ports? > >> > >>> > >> > >>> I currently admin my AD with a combination of the samba-tool > >> > >>> as well as the > >> > >>> AD Users and Groups MMC Windows utility. > >> > >>> > >> > >>> Any guidance is greatly appreciated. > >> > >>> > >> > >>> Thank you. > >> > >>> > >> > >>> Regards. > >> > >>> > >> > >>> Neil Wilson > >> > >>> -- > >> > >>> To unsubscribe from this list go to the following URL > >and read the > >> > >>> instructions: > >https://lists.samba.org/mailman/options/samba > ><https://lists.samba.org/mailman/options/samba> > ><https://lists.samba.org/mailman/options/samba > ><https://lists.samba.org/mailman/options/samba>> > >> > >>> > >> > >>> > >> > >> > >> > >> -- > >> > >> To unsubscribe from this list go to the following URL > >and read the > >> > >> instructions: > >https://lists.samba.org/mailman/options/samba > ><https://lists.samba.org/mailman/options/samba> > ><https://lists.samba.org/mailman/options/samba > ><https://lists.samba.org/mailman/options/samba>> > >> > >> > >> > > -- > >> > > To unsubscribe from this list go to the following URL > >and read the > >> > > instructions: > >https://lists.samba.org/mailman/options/samba > ><https://lists.samba.org/mailman/options/samba> > ><https://lists.samba.org/mailman/options/samba > ><https://lists.samba.org/mailman/options/samba>> > >> > > >> > > >> > >> -- > >> To unsubscribe from this list go to the following URL and read the > >> instructions: https://lists.samba.org/mailman/options/samba > ><https://lists.samba.org/mailman/options/samba> > > > >-- > >To unsubscribe from this list go to the following URL and read the > >instructions: https://lists.samba.org/mailman/options/samba > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Hello Gabriel, I recommend you use gpupdate /force on the windows command line after login. The results of above command can be checked afterwards with the "gpresults" command. Can be you have an permission problem on your samba server. Only skimmed ofver the thread but did you try samba-tools ntacl sysvolreset on your samba server? achim~ Am 22.05.2015 um 12:08 schrieb Gabriel Franca:> Good morning Daniel, > > The amendment that I spoke have to be done on the server. > > All user created in Samba4 receives the "Domain Users" group as primary. > > I did several tests on the GPO to no avail. > > When I took the User of the "Domain Users" and put in "Domain Admins" the GPO to make any changes now operates. > > I believe that because of the "Domain Users" did not have privileges to edit the GPO record in the station can not be applied. > > I wonder if the guys who are using Samba 4, is using successfully GPOS the "Domain Users" > > Sincerely, > > Gabriel Franca > > > >> Em 22/05/2015, ?(s) 09:01, Daniel Carrasco Mar?n <danielmadrid19 at gmail.com> escreveu: >> >> >> >> 2015-05-22 13:32 GMT+02:00 Gabriel Franca <gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com>>: >> >> I found it strange more and something I have already noticed a while. >> >> No GPO is applied when the User is the "Domain Users", so I wonder if I'm doing something wrong or I have to change something. >> >> I believe the "Domain Users" are not allowed to change the Windows registry so the issue. >> >> Sincerely, >> >> Gabriel Franca >> >> >> I don't know if is a Windows problem, but i've got the same behavior trying to set Firewall rules. I've fixed the problem changing the "Domain Users" in GPO "Security Filter" for "Authenticated Users" and now is working fine. >> >> I hope this help. >> >> Greetings!! >> >> >>> Em 22/05/2015, ?(s) 02:31, Neil <nwilson123 at gmail.com <mailto:nwilson123 at gmail.com>> escreveu: >>> >>> Good morning everyone, >>> >>> Gabriel: I haven't had a chance to test this yet, but I'm also needing the same IE: Domain Users to have the GPO applied. Did you come right with this? >>> >>> Andrey: Thank you for letting me know about the SysVol replication across DC's, I haven't enabled this yet and will be doing so, is there anything I should watch out for? I'll just be using the "https://wiki.samba.org/index.php/SysVol_Replication <https://wiki.samba.org/index.php/SysVol_Replication> <https://wiki.samba.org/index.php/SysVol_Replication <https://wiki.samba.org/index.php/SysVol_Replication>>" because I don't require Bi-Directional Replication. >>> >>> Thank you. >>> >>> Regards. >>> >>> Neil Wilson. >>> >>> >>> On Thu, May 21, 2015 at 1:22 PM, Gabriel Franca <gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com> <mailto:gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com>>> wrote: >>> Good morning friends !!! >>> >>> I am following this topic and performed some tests to validate the process and noted the following. >>> >>> 1) when the User is the "Domain Users" GPO is not applied. >>> >>> 2) when the user is the "Domain Admins" the GPO is applied. >>> >>> Is there any way to apply the GPOS "Domain Users" ??? >>> >>> Sincerely, >>> >>> Gabriel Franca >>> >>> >>>> Em 20/05/2015, ?(s) 09:37, Neil <nwilson123 at gmail.com <mailto:nwilson123 at gmail.com> <mailto:nwilson123 at gmail.com <mailto:nwilson123 at gmail.com>>> escreveu: >>>> >>>> Hi Louis, >>>> >>>> Thank you very much for your speedy response. I'll definitely go ahead and >>>> investigate further. >>>> >>>> Much appreciated. >>>> >>>> Regards. >>>> >>>> Neil Wilson. >>>> >>>> On Wed, May 20, 2015 at 1:24 PM, L.P.H. van Belle <belle at bazuin.nl <mailto:belle at bazuin.nl> <mailto:belle at bazuin.nl <mailto:belle at bazuin.nl>>> wrote: >>>> >>>>> yes, this is possible, by GPO. >>>>> >>>>> In GPO, go to: >>>>> (user or computer )Configuration >>>>> - Policy >>>>> ? Administrative template >>>>> ? System >>>>> ? Removable storage Access >>>>> >>>>> Play with these settings to get what you want. >>>>> >>>>> for Managing Hardware Restrictions via Group Policy read : >>>>> http://technet.microsoft.com/en-us/magazine/cc138012.aspx <http://technet.microsoft.com/en-us/magazine/cc138012.aspx> <http://technet.microsoft.com/en-us/magazine/cc138012.aspx <http://technet.microsoft.com/en-us/magazine/cc138012.aspx>> >>>>> >>>>> >>>>> Greetz, >>>>> >>>>> Louis >>>>> >>>>> >>>>> >>>>> >>>>>> -----Oorspronkelijk bericht----- >>>>>> Van: nwilson123 at gmail.com <mailto:nwilson123 at gmail.com> <mailto:nwilson123 at gmail.com <mailto:nwilson123 at gmail.com>> >>>>>> [mailto:samba-bounces at lists.samba.org <mailto:samba-bounces at lists.samba.org> <mailto:samba-bounces at lists.samba.org <mailto:samba-bounces at lists.samba.org>>] Namens Neil >>>>>> Verzonden: woensdag 20 mei 2015 12:10 >>>>>> Aan: samba >>>>>> Onderwerp: [Samba] Samba4 Disable USB ports >>>>>> >>>>>> Hi guys, >>>>>> >>>>>> I'm running a Sernet-samba-ad-4.1.17-11.el6.x86_64 PDC with another 4 >>>>>> Samba4 DC's all joined to the same AD domain myorg.local >>>>>> >>>>>> My client wants me to disable all USB ports for all the users >>>>>> joined to the >>>>>> domain. >>>>>> >>>>>> Is it possible to do this via a group policy so that users >>>>>> logging onto any >>>>>> of the DC's will not be able to use their USB ports? >>>>>> >>>>>> I currently admin my AD with a combination of the samba-tool >>>>>> as well as the >>>>>> AD Users and Groups MMC Windows utility. >>>>>> >>>>>> Any guidance is greatly appreciated. >>>>>> >>>>>> Thank you. >>>>>> >>>>>> Regards. >>>>>> >>>>>> Neil Wilson >>>>>> -- >>>>>> To unsubscribe from this list go to the following URL and read the >>>>>> instructions: https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba> <https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>> >>>>>> >>>>>> >>>>> -- >>>>> To unsubscribe from this list go to the following URL and read the >>>>> instructions: https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba> <https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>> >>>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba> <https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>> >>> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>